-
Notifications
You must be signed in to change notification settings - Fork 698
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add new templated rules for System.map files #11640
Add new templated rules for System.map files #11640
Conversation
Updated rule description and used the file_permissions template.
The file_permissions_systemmap rule is using the file_permissions template, which can't safely manage test scenarios with regex.
Rules related to System.map files are now complete. The file_permissions_systemmap rule was also removed from the "default" profile for RHEL products since it is now included in ANSSI control file.
This datastream diff is auto generated by the check Click here to see the full diffNew content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_systemmap'.
--- xccdf_org.ssgproject.content_rule_file_permissions_systemmap
+++ xccdf_org.ssgproject.content_rule_file_permissions_systemmap
@@ -1,17 +1,23 @@
[title]:
-Verify that local System.map file (if exists) is readable only by root
+Verify Permissions on System.map Files
[description]:
-Files containing sensitive informations should be protected by restrictive
- permissions. Most of the time, there is no need that these files need to be read by any non-root user
+The System.map files are symbol map files generated during the compilation of the Linux
+kernel. They contain the mapping between kernel symbols and their corresponding memory
+addresses. In general, there is no need for non-root users to read these files.
-To properly set the permissions of /boot/System.map-*, run the command:
-$ sudo chmod 0600 /boot/System.map-*
+
+To properly set the permissions of /boot/System.map*, run the command:
+$ sudo chmod 0600 /boot/System.map*
+
+[reference]:
+R29
[rationale]:
-The System.map file contains information about kernel symbols and
- can give some hints to generate local exploitation.
+The purpose of System.map files is primarily for debugging and profiling the kernel.
+Unrestricted access to these files might disclose information useful to attackers and
+malicious software leading to more sophisticated exploitation.
[ident]:
CCE-82892-1
OVAL for rule 'xccdf_org.ssgproject.content_rule_file_permissions_systemmap' differs.
--- oval:ssg-file_permissions_systemmap:def:1
+++ oval:ssg-file_permissions_systemmap:def:1
@@ -1,2 +1,2 @@
criteria AND
-criterion oval:ssg-test_permissions_systemmap_files:tst:1
+criterion oval:ssg-test_file_permissions_systemmap_0:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_file_permissions_systemmap' differs.
--- ocil:ssg-file_permissions_systemmap_ocil:questionnaire:1
+++ ocil:ssg-file_permissions_systemmap_ocil:questionnaire:1
@@ -1,7 +1,7 @@
-To check the permissions of /boot/Sysem.map-*,
+To check the permissions of /boot/System.map*,
run the command:
-$ ls -l /boot/Sysem.map-*
+$ ls -l /boot/System.map*
If properly configured, the output should indicate the following permissions:
-rw-------
- Is it the case that ?
+ Is it the case that /boot/System.map* does not have unix mode -rw-------?
New data stream adds bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_systemmap'.
New data stream adds ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_systemmap'. |
🤖 A k8s content image for this PR is available at: Click here to see how to deploy itIf you alread have Compliance Operator deployed: Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: |
I observed that there is no |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have run them locally and they have passed. Also, I have reviewed the code.
jcerny@fedora:~/work/git/scap-security-guide (pr/11640)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 file_groupowner_systemmap file_owner_systemmap file_permissions_systemmap
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2024-03-01-1604/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_file_permissions_systemmap
INFO - Script correct_multiple_files.pass.sh using profile (all) OK
INFO - Script correct_permissions.pass.sh using profile (all) OK
INFO - Script lenient_multiple_files.fail.sh using profile (all) OK
INFO - Script lenient_permissions.fail.sh using profile (all) OK
INFO - Script missing_file_test.pass.sh using profile (all) OK
INFO - Script stricter_permisions.pass.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_file_groupowner_systemmap
INFO - Script correct_groupowner.pass.sh using profile (all) OK
INFO - Script correct_groupowner_multiple_files.pass.sh using profile (all) OK
INFO - Script incorrect_groupowner.fail.sh using profile (all) OK
INFO - Script incorrect_groupowner_multiple_files.fail.sh using profile (all) OK
INFO - Script missing_file_test.pass.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_file_owner_systemmap
INFO - Script correct_owner.pass.sh using profile (all) OK
INFO - Script correct_owner_multiple_files.pass.sh using profile (all) OK
INFO - Script incorrect_owner.fail.sh using profile (all) OK
INFO - Script incorrect_owner_multiple_files.fail.sh using profile (all) OK
INFO - Script missing_file_test.pass.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (pr/11640)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 --remediate-using ansible file_groupowner_systemmap file_owner_systemmap file_permissions_systemmap
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2024-03-01-1609/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_file_permissions_systemmap
INFO - Script correct_multiple_files.pass.sh using profile (all) OK
INFO - Script correct_permissions.pass.sh using profile (all) OK
INFO - Script lenient_multiple_files.fail.sh using profile (all) OK
INFO - Script lenient_permissions.fail.sh using profile (all) OK
INFO - Script missing_file_test.pass.sh using profile (all) OK
INFO - Script stricter_permisions.pass.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_file_groupowner_systemmap
INFO - Script correct_groupowner.pass.sh using profile (all) OK
INFO - Script correct_groupowner_multiple_files.pass.sh using profile (all) OK
INFO - Script incorrect_groupowner.fail.sh using profile (all) OK
INFO - Script incorrect_groupowner_multiple_files.fail.sh using profile (all) OK
INFO - Script missing_file_test.pass.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_file_owner_systemmap
INFO - Script correct_owner.pass.sh using profile (all) OK
INFO - Script correct_owner_multiple_files.pass.sh using profile (all) OK
INFO - Script incorrect_owner.fail.sh using profile (all) OK
INFO - Script incorrect_owner_multiple_files.fail.sh using profile (all) OK
INFO - Script missing_file_test.pass.sh using profile (all) OK
linux_os/guide/system/permissions/files/file_groupowner_systemmap/rule.yml
Outdated
Show resolved
Hide resolved
linux_os/guide/system/permissions/files/file_owner_systemmap/rule.yml
Outdated
Show resolved
Hide resolved
Co-authored-by: Jan Černý <jcerny@redhat.com>
0807a5f
to
87e45d2
Compare
Code Climate has analyzed commit 87e45d2 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.8% (0.0% change). View more on Code Climate. |
/retest |
Description:
There was the
file_permissions_systemmap
rule but it didn't have remediation or test scenarios.Following the standard for other similar files, it was ensured three specific templated rules to deal with files permissions, ownership and group-ownership:
These three rules also allow us to change the status of ANSSI R29 from
partial
toautomated
.Rationale:
More granular rules for System.map files
Better alignment with ANSSI.
Review Hints:
Since these are templated rules, automatus tests should be enough.